CVE-2026-33672
Method Injection vulnerability in picomatch (npm)


What is CVE-2026-33672 About?

picomatch is vulnerable to method injection: a specially crafted POSIX bracket expression can cause functions inherited from Object.prototype to be looked up as if they were character classes, and their stringified form is spliced into the regular expression that picomatch generates from a glob. The result is incorrect glob matching, which becomes a security-relevant logic error in code that relies on the match result for filtering, validation or access control; it does not give remote code execution. Triggering the bug requires that picomatch process an attacker-controlled pattern, and with such input it is easy to trigger.

Affected Software

  • picomatch
    • <2.3.2
    • >=3.0.0, <3.0.2
    • >=4.0.0, <4.0.4

Technical Details

The picomatch library is susceptible to a method injection vulnerability (CWE-1321) in its handling of the POSIX_REGEX_SOURCE object, the table that maps POSIX class names such as alpha or digit to regex source strings. That object is a plain object and therefore inherits from Object.prototype, and the class name taken from the pattern is used directly as a property key. A bracket expression such as [[:constructor:]] therefore resolves to an inherited member (Object.prototype.constructor) instead of to undefined. The looked-up value, a function rather than a character-class string, is implicitly converted to a string and integrated into the generated regex. The resulting regex no longer expresses the glob the caller wrote, so patterns may match unintended filenames, which undermines the integrity of any filtering, validation or access-control decision that relies on picomatch for pattern matching.
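The following is an added illustration of the bug class described above, written for this page rather than taken from picomatch: a POSIX class table kept as a plain object (here called POSIX_CLASSES; the names lookupUnsafe, lookupSafe, expandPosix, compile and demo are this example's own). Looking up [:constructor:] on such an object returns Object.prototype.constructor, String() of that function ends up in the regex, and the compiled regex then matches input that has nothing to do with the intended class. The hardened lookup accepts only own, string-valued entries and rejects everything else.

```javascript
// Added illustration (not picomatch's code) of the bug class: a POSIX
// character-class table kept as a plain object. Property lookup on a plain
// object walks the prototype chain, so "constructor", "toString",
// "hasOwnProperty" and friends resolve to functions on Object.prototype.

const POSIX_CLASSES = {
  alnum: 'a-zA-Z0-9',
  alpha: 'a-zA-Z',
  digit: '0-9',
  lower: 'a-z',
  upper: 'A-Z',
  xdigit: 'A-Fa-f0-9',
};

// Vulnerable lookup: inherited members of Object.prototype leak through.
function lookupUnsafe(name) {
  return POSIX_CLASSES[name];
}

// Hardened lookup: only own properties whose value is a string are accepted.
// (Building the table with Object.create(null) would achieve the same.)
function lookupSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(POSIX_CLASSES, name)) return undefined;
  const src = POSIX_CLASSES[name];
  return typeof src === 'string' ? src : undefined;
}

// Rewrite each [:name:] inside a bracket expression into regex source.
// String(src) is the implicit stringification the advisory refers to: when a
// function arrives here, its source text is spliced into the regex.
function expandPosix(pattern, lookup) {
  return pattern.replace(/\[:([A-Za-z_$][\w$]*):\]/g, (_m, name) => {
    const src = lookup(name);
    if (src === undefined) throw new Error(`unknown POSIX class [:${name}:]`);
    return String(src);
  });
}

// Compile a pattern to an anchored whole-string regex (toy: no other glob
// syntax is translated, only POSIX classes are expanded).
function compile(pattern, lookup) {
  return new RegExp(`^${expandPosix(pattern, lookup)}$`);
}

// Run the comparison and return the observations so they can be checked.
function demo() {
  const benign = compile('[[:digit:]]+', lookupUnsafe); // works as intended
  const injectedSource = expandPosix('[[:constructor:]]', lookupUnsafe);
  const injected = compile('[[:constructor:]]', lookupUnsafe);
  let hardenedRejects = false;
  try {
    expandPosix('[[:constructor:]]', lookupSafe);
  } catch (e) {
    hardenedRejects = true;
  }
  return {
    benignMatchesDigits: benign.test('123') && !benign.test('abc'),
    // With V8, String(Object) is "function Object() { [native code] }", so the
    // regex becomes ^[function Object() { [native code] }]$ : one character
    // from that class followed by the literal text " }]".
    injectedSource,
    injectedLeaksFunction: injectedSource.includes('native code'),
    injectedMatchesJunk: injected.test('n }]'),
    injectedMatchesDigit: injected.test('3'),
    hardenedRejects,
  };
}

console.log(demo());
```

The practical check for any code that keeps a lookup table as a plain object and indexes it with attacker-controlled keys is the same: either guard with hasOwnProperty and a type check on the value, or build the table with Object.create(null) so there is no prototype to fall through to.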

What is the Impact of CVE-2026-33672?

Successful exploitation may allow attackers to cause incorrect glob matching behavior, leading to security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.

What is the Exploitability of CVE-2026-33672?

Exploitation consists of supplying a crafted glob pattern to picomatch. Complexity is low to medium: the attacker needs to know that POSIX bracket expressions are supported and which names exist on Object.prototype, nothing more. No authentication or special privileges are required, because the vulnerability arises wherever the pattern itself comes from untrusted input. The attack is remote if the application exposes an endpoint that accepts user-supplied glob patterns. The key condition is that picomatch must process untrusted or user-controlled patterns; applications in which a match result decides a sensitive action such as file access or data validation are the ones most at risk.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2026-33672?

Available Upgrade Options

  • picomatch
    • <2.3.2 → Upgrade to 2.3.2
    • >=3.0.0, <3.0.2 → Upgrade to 3.0.2
    • >=4.0.0, <4.0.4 → Upgrade to 4.0.4


Additional Resources

What are Similar Vulnerabilities to CVE-2026-33672?

Similar Vulnerabilities: CVE-2024-4067, CVE-2024-45296, CVE-2023-38546, CVE-2022-24364, CVE-2020-28282